
Oscommerce Security - Osc_Sec.php


Taipo


I think if you just include osC_Sec as normal but leave out the other custom code changes that were specifically for 2.2 then it will work fine.

 

Because osCommerce sets PHP_SELF further down in the scope, it doesn't matter what osC_Sec does earlier, it will be overwritten. Let me know how it goes for you.

- Stop Oscommerce hacks dead in their tracks with osC_Sec (see discussion here)
- Another discussion about infected files ::here::
- A discussion on file permissions ::here::
- Site hacked? Should you upgrade or not, some thoughts ::here::
- Fix the admin login bypass exploit here
- Pareto Security: New security addon I am developing, a remake of osC_Sec in PHP 5 with a number of fixes
- BTC:1LHiMXedmtyq4wcYLedk9i9gkk8A8Hk7qX


Hi

 

I have just been trying to run a cron job and find that when the script is run via a URL in a browser it works fine, but from the command line it generates error messages and the files it is supposed to create/update are not updated.

 

Via URL you get these error messages, and the sitemap files are generated:

Notice: Undefined variable: cPath_array in /homepages/x/includes/application_top.php on line 534

Notice: Undefined variable: cPath_array in /homepages/x/includes/application_top.php on line 534

Write /homepages/x/sitemapproducts.xml
Generated Google Product Sitemap Successfully

Write /homepages//itemapcategories.xml
Generated Google Category Sitemap Successfully

Write /homepages/sitemapmanufacturers.xml
Generated Google Manufacturers Sitemap Successfully

Write /homepages/sitemapspecials.xml
Generated Google Specials Sitemap Successfully

Write /homepages/sitemapindex.xml
Generated Google Sitemap Index Successfully

CONGRATULATIONS! All files generated successfully.

If you have not already submitted the sitemap index to Google click the link below.
Before you do I HIGHLY recommend that you view the XML files to make sure the data is correct.

http://www.google.com/webmasters/sitemaps/ping?sitemap=http%3A%2F%2Fwww.xxx.ca%2Fsitemapindex.xml

For your convenience here is the CRON command for your site:
php /kunden/homepages/x/googlesitemap/index.php

Here is your sitemap index: http://www.xxx.ca/sitemapindex.xml
Here is your product sitemap: http://www.xxx.ca/sitemapproducts.xml
Here is your category sitemap: http://www.xxx.ca/sitemapcategories.xml
Here is your manufacturers sitemap: http://www.xxx.ca/sitemapmanufacturers.xml
Here is your specials sitemap: http://www.xxx.ca/sitemapspecials.xml

The command

 

php5 /homepages/x/htdocs/sites/shop/googlesitemap/index.php

 

gives these errors:

X-Powered-By: PHP/5.2.17
Content-type: text/html

<br />
<b>Notice</b>:  Undefined index:  SCRIPT_NAME in <b>/homepages/22/d435242159/htdocs/sites/shop/includes/osc_sec.php</b> on line <b>25</b><br />
<br />
<b>Notice</b>:  Undefined index:  SCRIPT_NAME in <b>/homepages/22/d435242159/htdocs/sites/shop/includes/osc.php</b> on line <b>11</b><br />
<br />
<b>Notice</b>:  Undefined index:  SCRIPT_NAME in <b>/homepages/22/d435242159/htdocs/sites/shop/includes/osc_sec.php</b> on line <b>1007</b><br />
<br />
<b>Notice</b>:  Undefined index:  SCRIPT_FILENAME in <b>/homepages/22/d435242159/htdocs/sites/shop/includes/osc_sec.php</b> on line <b>1021</b><br />
<br />
<b>Notice</b>:  Undefined index:  SCRIPT_NAME in <b>/homepages/22/d435242159/htdocs/sites/shop/includes/osc_sec.php</b> on line <b>1029</b><br />

and does not execute the line after

 

  require_once( DIR_FS_CATALOG . 'includes/osc_sec.php' );

 

FYI server_info.php shows this

_SERVER["SCRIPT_NAME"]    /admin/server_info.php

SCRIPT_FILENAME           /kunden/homepages/xxx/admin/server_info.php

Any thoughts on why the cron job will not run?

 

Cheers

 

G

Need help installing add ons/contributions, cleaning a hacked site or a bespoke development, check my profile

 

Virus Threat Scanner

My Contributions

Basic install answers.

Click here for Contributions / Add Ons.

UK your site.

Site Move.

Basic design info.

 

For links mentioned in old answers that are no longer here follow this link Useful Threads.

 

If this post was useful, click the Like This button over there ======>>>>>.


Firstly try replacing

 

if ( false !== strpos( strtolower( $_SERVER["SCRIPT_NAME"] ), osCSec_selfchk() ) ) senda404Header();

with

if ( false !== strpos( strtolower( getenv( 'SCRIPT_NAME' ) ), osCSec_selfchk() ) ) senda404Header();

For some reason your server is not recognising _SERVER[ 'SCRIPT_NAME' ] so perhaps this might work. If it doesn't then there is some sort of configuration issue with your web server.


It looks like when googlesitemaps/index.php is run from the command line osc_sec cannot identify the script being run and issues a die command, but when it is run in a browser via a URL it can, and so everything completes successfully.
 

    function phpSelfFix() {
        if ( false !== ( bool )ini_get( "register_globals" ) || ( ! isset( $HTTP_SERVER_VARS ) ) )
            $HTTP_SERVER_VARS = $_SERVER;
        $filename = null;
        # this is the RC3 standard code
        $filename = ( ( ( strlen( ini_get( "cgi.fix_pathinfo" ) ) > 0 ) && ( ( bool )ini_get( "cgi.fix_pathinfo" ) == false ) ) ||
            ! isset( $HTTP_SERVER_VARS["SCRIPT_NAME"] ) ) ? basename( $HTTP_SERVER_VARS["PHP_SELF"] ) : basename( $HTTP_SERVER_VARS["SCRIPT_NAME"] );
        if ( false === $this->checkfilename( $filename ) ) {
            $filename = null;
        } else
            return $filename;
//die("    1      :<br>");

        # if RC3 fails then try a version of FWR Media's $PHP_SELF code.
        if ( empty( $filename ) && ( false !== strpos( $_SERVER["SCRIPT_NAME"], ".php" ) ) ) {
            preg_match( "@[a-z0-9_]+\.php@i", $_SERVER["SCRIPT_NAME"], $matches );
            if ( is_array( $matches ) && ( array_key_exists( 0, $matches ) ) && ( substr( $matches[0], -4, 4 ) ==
                ".php" ) && ( is_readable( $matches[0] ) || ( false !== strpos( $_SERVER["SCRIPT_NAME"],
                "ext/modules/" ) ) ) ) {
                $filename = $matches[0];
            }
            if ( false === $this->checkfilename( $filename ) ) {
                $filename = null;
            } else
                return $filename;
        }

        # if that fails then try osC_Sec $PHP_SELF code
        if ( empty( $filename ) && false !== $this->issetStrlen( $_SERVER["SCRIPT_FILENAME"] ) ) {
            $tmp = explode( "/", $_SERVER["SCRIPT_FILENAME"] );
            if ( is_array( $tmp ) ) {
                $filename = $tmp[count( $tmp ) - 1];
            }
            if ( false !== $this->checkfilename( $filename ) ) {
                return $filename;
            }
        } elseif ( ( $_SERVER["PHP_SELF"] == "/" ) || ( $_SERVER["SCRIPT_NAME"] == "/" ) ) {
            return "index.php";
        } else {
            die(); // prevent the page from executing
        }
    }

I changed the last line to
 
            die("osc die"); // prevent the page from executing
 
and the cron job now displays
 
X-Powered-By: PHP/5.2.17
Content-type: text/html

osc die
 

Do you think you will be able to alter this to check __FILE__ ( see http://www.php.net//manual/en/reserved.variables.server.php) or will a wrapper script along the lines of

 

<?php

// putenv() takes a single "NAME=value" string, and the include path needs its opening quote.
putenv( 'xxxxxxx=index.php' );

include( '/yyyyyy/yyyyy/yyyy/googlesitemap/index.php' );

?>

 

need to be distributed.

 

Cheers

G


I think in the instance you are encountering that it's best you just comment out that line

if ( false !== strpos( strtolower( $_SERVER["SCRIPT_NAME"] ), osCSec_selfchk() ) ) senda404Header();

All that does is try to prevent direct loading of the osc_sec.php file. The class will work without it. That should allow the cron to run without triggering anything in osC_Sec.


Firstly try replacing

 

if ( false !== strpos( strtolower( $_SERVER["SCRIPT_NAME"] ), osCSec_selfchk() ) ) senda404Header();

with

if ( false !== strpos( strtolower( getenv( 'SCRIPT_NAME' ) ), osCSec_selfchk() ) ) senda404Header();

For some reason your server is not recognising _SERVER[ 'SCRIPT_NAME' ] so perhaps this might work. If it doesn't then there is some sort of configuration issue with your web server.

 

Funnily enough it is getting past this check and failing on line 79

 

        # reliably set $PHP_SELF as a filename

        global $PHP_SELF;

        $PHP_SELF = $this->phpSelfFix();

 

I put die commands before and after this line; the one before stopped processing, and when I removed it the one after did not get invoked.

 

If I comment out $PHP_SELF = $this->phpSelfFix(); I get

 

Status: 403 Access Denied

X-Powered-By: PHP/5.2.17

Content-Length: 0

Content-type: text/html

 

I even emptied out my trapped_txt file in the banned dir to see if that would help.


If commenting out that line still triggers osC_Sec, then try customising the _BYPASS function

 

for example find:

        # bypass all files in a directory. Use this sparingly
        $dir_bypass = array( "/ext/modules/payment" );

and change it to 

        # bypass all files in a directory. Use this sparingly
        $dir_bypass = array( "/ext/modules/payment", "/googlesitemaps" );

Assuming the googlesitemaps directory is located in the root directory. That way, if that file is executed ( or any file within the googlesitemaps directory ), it should bypass osC_Sec in theory.

 

Then edit the phpSelfFix with the following. On the line below:

    function phpSelfFix() {

Add

if ( false === $this->byPass() )  return 'index.php';

So it should look like:

function phpSelfFix() {
       if ( false === $this->byPass() )  return 'index.php';
// the rest of the function here.....

It's a hack of an idea, and not recommended, but let's see if that actually works.

 

osC_Sec purposefully tries to prevent rogue files reading it, and rogue command executions from making changes to it, so it's actually doing its job, it just needs to be told that the google cron job is not rogue.


Seemed like a good idea but have just moved on to a new error

 

Status: 403 Access Denied
X-Powered-By: PHP/5.2.17
Content-Length: 0
Content-type: text/html
 

Don't you just love it.

 

G


Sorry that line to change should have read
$dir_bypass = array( "/ext/modules/payment", "/googlesitemap" );

I added an s by accident. Try that first.

 

If that doesn't work, then try this, having reverted the changes except for the first one ( SCRIPT_NAME ):

 
Find ( should be the line you first edited ):
if ( false !== strpos( strtolower( getenv( 'SCRIPT_NAME' ) ), osCSec_selfchk() ) ) senda404Header();
and add this line under it:
if ( false !== strpos( strtolower( getenv( 'SCRIPT_NAME' ) ), 'googlesitemap/index.php' ) ) return;


still get

 

Status: 403 Access Denied
X-Powered-By: PHP/5.2.17
Content-Length: 0
Content-type: text/html
 

 

Cheers

G


nothing in either of those fields

 

die(  strtolower( getenv( 'SCRIPT_NAME' ) ) . ":" . strtolower( $_SERVER["SCRIPT_NAME"] ));

 

displays

 

:

 

So both are empty

 

Cheers

 

G


Where is the server the site is located on hosted Geoffrey?


1 and 1

 

Jack has given me an alternative cron to try.

 

cd /home/USERNAME/public_html/googlesitemap/; /usr/local/bin/php -c /home/USERNAME/public_html/php.ini -q /home/USERNAME/public_html/googlesitemap/index.php    

 

I'll let you know if it worked.

 

Cheers

 

G


I had to go for this in osc.php

Replace

$osC_Sec = new osC_Sec();
$osC_Sec->Sentry( $timestampOffset,$nonGETPOSTReqs,$spiderBlock,$banipaddress,$useIPTRAP,
                    $ipTrapBlocked,$emailenabled,$youremail,$fromemail,$disable_tellafriend );

with

// Only construct the guard when not running from the sitemap cron directory.
// isset() avoids a notice on web requests, where PWD is normally not in $_SERVER.
if ( ! isset( $_SERVER['PWD'] ) || $_SERVER['PWD'] != '/homepages/xxxxx/googlesitemap' ) {
    $osC_Sec = new osC_Sec();
    $osC_Sec->Sentry( $timestampOffset,$nonGETPOSTReqs,$spiderBlock,$banipaddress,$useIPTRAP,
                      $ipTrapBlocked,$emailenabled,$youremail,$fromemail,$disable_tellafriend );
}

There are a couple more changes I made but will post in http://www.oscommerce.com/forums/topic/330175-google-xml-sitemap-seo/page-68#entry1699940

HTH someone

G

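A PHP example added here (not osC_Sec's or Pareto Security's code) that covers both the `__FILE__` question earlier in the thread and this `$_SERVER['PWD']` workaround: the `X-Powered-By` and `Content-type` lines in the command-line output are what PHP's CGI binary prints, which indicates the `php5` on that host is php-cgi, and from a shell that SAPI fills neither SCRIPT_NAME nor REQUEST_METHOD, while `get_included_files()` still names the main script. The function names and the allow-listed path are hypothetical; `guardShouldRun( $_SERVER )` is meant to wrap the `new osC_Sec()` / `Sentry()` lines in osc.php.

```php
<?php
// Added example, not osC_Sec's or Pareto Security's code: resolve the running
// script and decide whether a request guard should run, for web requests,
// php-cli, and php-cgi started from a shell. PHP 5 style; names hypothetical.

// Absolute paths of maintenance scripts allowed to run unguarded from cron.
function cronAllowlist() {
    // Constructed path: replace with the real path of googlesitemap/index.php.
    return array( '/homepages/x/htdocs/sites/shop/googlesitemap/index.php' );
}

// A request that came through the web server always carries REQUEST_METHOD.
// php-cli never sets it and php-cgi run from a shell does not either, so a
// PHP_SAPI === 'cli' test alone would miss the CGI-from-cron case.
function isWebRequest( array $server, $sapi = PHP_SAPI ) {
    if ( $sapi === 'cli' ) return false;
    return isset( $server['REQUEST_METHOD'] ) && $server['REQUEST_METHOD'] !== '';
}

// Filesystem path of the script PHP was asked to run: SCRIPT_FILENAME when the
// SAPI filled it in, else the first entry of get_included_files(), which is
// the main script under every SAPI even when $_SERVER is empty.
function mainScriptPath( array $server ) {
    if ( isset( $server['SCRIPT_FILENAME'] ) && $server['SCRIPT_FILENAME'] !== '' ) {
        $path = $server['SCRIPT_FILENAME'];
    } else {
        $included = get_included_files();
        $path = $included[0];
    }
    $real = realpath( $path );
    return ( $real !== false ) ? $real : $path;
}

// Basename of the running script, the value osC_Sec keeps in $PHP_SELF. A bare
// "/" request has an empty basename and falls through to the main script's
// filename, which is index.php for the document root.
function scriptBasename( array $server ) {
    foreach ( array( 'SCRIPT_NAME', 'PHP_SELF' ) as $key ) {
        if ( isset( $server[$key] ) && $server[$key] !== '' ) {
            $path = parse_url( $server[$key], PHP_URL_PATH );
            if ( is_string( $path ) && basename( $path ) !== '' ) {
                return basename( $path );
            }
        }
    }
    return basename( mainScriptPath( $server ) );
}

// Web requests are always guarded. Non-web runs are guarded too unless the main
// script is exactly an allow-listed maintenance script, so a rogue script that
// includes the guard file from a shell gets no free pass.
function guardShouldRun( array $server, $sapi = PHP_SAPI ) {
    if ( isWebRequest( $server, $sapi ) ) return true;
    return ! in_array( mainScriptPath( $server ), cronAllowlist(), true );
}

// Constructed sample environments (not real server output) with their SAPI.
// "shell" is php-cgi from a shell: nothing set, like the ":" output above.
$cases = array(
    'web'   => array( 'apache2handler', array( 'REQUEST_METHOD' => 'GET',
                'SCRIPT_NAME' => '/admin/server_info.php',
                'SCRIPT_FILENAME' => '/kunden/homepages/x/admin/server_info.php' ) ),
    'cron'  => array( 'cli', array( 'SCRIPT_FILENAME' =>
                '/homepages/x/htdocs/sites/shop/googlesitemap/index.php' ) ),
    'shell' => array( 'cgi-fcgi', array() ),
);
foreach ( $cases as $label => $case ) {
    list( $sapi, $env ) = $case;
    printf( "%-5s script=%-18s guard=%s\n", $label, scriptBasename( $env ),
            guardShouldRun( $env, $sapi ) ? 'run' : 'skip' );
}
```

Run from a shell, it prints the resolved script name and guard decision for the three cases; only the allow-listed cron path is skipped, and the bare php-cgi case stays guarded because its main script (this file) is not on the list.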

Hi Taipo,

 

What are the implications of OSC Sec with OSC Version 2.3.4 especially the changes to PHP Self as detailed here: http://library.oscommerce.com/Online&en&oscom_2_3&release_notes&v2_3_4#upg6

 

Many Thanks

 

 

I think if you just include osC_Sec as normal but leave out the other custom code changes that were specifically for 2.2 then it will work fine.

 

Because osCommerce sets PHP_SELF further down in the scope, it doesn't matter what osC_Sec does earlier, it will be overwritten. Let me know how it goes for you.

 

Just a follow-up to Mort's question with the change below in 2.3.4:

 

// set php_self in the local scope
  $req = parse_url($HTTP_SERVER_VARS['SCRIPT_NAME']);
  $PHP_SELF = substr($req['path'], ($request_type == 'NONSSL') ? strlen(DIR_WS_HTTP_CATALOG) : strlen(DIR_WS_HTTPS_CATALOG));

Does this make the change below obsolete? Or should we change the above line to your code anyway?

  // set php_self in the local scope
  if( !isset( $PHP_SELF ) ) {
    if ( @phpversion() >= "5.0.0" && ( !ini_get("register_long_arrays" ) || @ini_get("register_long_arrays" ) == "0" || strtolower(@ini_get("register_long_arrays" ) ) == "off" ) ) $HTTP_SERVER_VARS = $_SERVER;
    $PHP_SELF = ( ( ( strlen( ini_get('cgi.fix_pathinfo' ) ) > 0 ) && ( ( bool ) ini_get('cgi.fix_pathinfo' ) == false ) ) || !isset( $HTTP_SERVER_VARS['SCRIPT_NAME' ] ) ) ? basename( $HTTP_SERVER_VARS[ 'PHP_SELF' ] ) : basename( $HTTP_SERVER_VARS[ 'SCRIPT_NAME' ] );
  }

Thank you for your (many) contribution(s) and time.


Use the latest code, it looks to be a solid update of the previous method of setting the $PHP_SELF.

 

The only thing needed to implement osC_Sec into later versions of 2.x is the require 

  require_once( DIR_FS_CATALOG . 'includes/osc_sec.php' );

But for any of the earlier versions, the standard changes apply.


  • 9 months later...

I was looking at Osc_sec.

 

I have Oscommerce Version : 2.3.4

Since it is stated that it is for versions EARLIER than 2.3, does Osc_Sec do anything to help security on Ver 2.3.4?

I was wondering if Osc_sec works with it, and if so what do I need to change to get it to work.

 

If not, anything else to enhance security?


osC_Sec was not designed for 2.3.4, but it has a lot of general security in it that has helped and will help in the future, where add-on coders or even site devs make coding errors that inadvertently allow attacks to happen.

 

Some of the code in osC_Sec was designed specifically for the older vulnerable versions of osCommerce.

 

For a simplified version of osC_Sec that does not contain the code specific for the earlier vulnerable versions of osCommerce, try the Pareto Security link in my sig.


Not on osCommerce

 

Go to https://github.com/Taipo/Pareto_Security/releases/tag/1.0.1 and download the zip file or copy paste the code from:

 

Upload it to both your includes directories. Then open both application_top.php files and navigate to:

 

// load server configuration parameters
  if (file_exists('includes/local/configure.php')) { // for developers
    include('includes/local/configure.php');
  } else {
    include('includes/configure.php');
  }

And on the next line put:

require( 'pareto_security.php' );

You can leave the other custom settings to their default setting.

 


Upload a copy of pareto_security.php to both. Add the edit code into both application_top.php files too.


Thanks for the quick response to my question. Sorry I had missed that line in your prior instructions.

 

I have installed it.

 

How do I tell it is working?

I see who is online, with two new ones as being from China since I installed this.


Try something like: ( replace http://www.yourdomainname.com/ with your own shop domain )

http://www.yourdomainname.com/?id=UNION+SELECT+FreeEnergy+FROM+Ether+WHERE+TypeId=1

This simulates what a database injection attempt might look like.

 

If it's working then the page will not load.

